It is generally bad form to reuse the same key for encryption and authentication in an "encrypt then MAC" scheme. For example, in the naive encrypt then MAC scheme, we use a randomized CBC block cipher and MAC the cipher text but an attacker can pass in all 0 messages to violate the CPA security condition.

However, what if we used dependent but not the same keys?

For example, if the key used for MAC is of the form $k' = k \oplus V$ for some fixed value $V$. Is this still bad form, i.e. would there be an encrypt then MAC scheme which is insecure?

$\begingroup$If something breaks a scheme it is much worse than bad form. Bad form is for the case when something might be bad.$\endgroup$
– EliasMar 23 '17 at 17:08

$\begingroup$This is the point where you have to assume your block cipher is secure against certain classes of related-key attacks which is quite a strong assumption usually (even though many iphers pass here).$\endgroup$
– SEJPM♦Mar 24 '17 at 16:41

1 Answer
1

This is indeed best way to do it. As the final $(cbc\oplus cipher)$ encrypted by a different key even if we pass 0 messages it do not reveal any information. Previously passing on 0 messages gave encrypted cbc (which is later $\oplus$ed encrypted ($cbc\oplus cipher$) to reveal information) now as the key used is different even if the encrypted cbc (on passing 0 messages) is known it wont reveal information.